SP Security Empowerment Materials

DRAFT 2.0

The following materials will help SPs, Hosting Centers, and Operators of any large network get details on a wide range of SP Security techniques. Many of these techniques are taking advantage of technologies that already exist in the network – it just takes a bit of time to empower yourself and deploy them. Most of these techniques are different from traditional enterprise approaches to security – using the tools of forwarding, QOS, and other technologies used to glue the Internet together to protect the Internet. Many of the links are to materials with a Video on Demand (i.e. the NANOG Sessions and Cisco Powersessions). These help you hear from people who are doing the technique and/or created the technique – many from large networks themselves.

STEP 1: Join Communities of People Working Together to Mitigate Miscreant Activities

Security on an SP’s network is not something you can do alone. Effective security mitigation and prevention dictates the need to collaborate and work with peers all over the planet. Prior to September 2002, there were no SP Security communities that worked with each other to mitigate threats. Today there are several groups, each evolving its own specialties.

All SPs are strongly encouraged to join and actively participate in these mitigation communities. In fact, not doing so is viewed as putting their SP business at severe risk of revenue-disrupting events.

NSP-SEC

NSP-SEC is one of the best inter-provider mitigation forums active today. It is a community that is more than a mailing list, with a secure line of communication and regular meetings. Details for NSP-SEC are listed here:

http://puck.nether.net/mailman/listinfo/nsp-security

NSP-SEC’s Charter

“Cyber defenders, ever vigilant, ever responsive.” -Marjorie Gilbert, 2003

The nsp-security [NSP-SEC] forum is a volunteer incident response mailing list, which coordinates the interaction between ISPs and NSPs in near real-time and tracks exploits and compromised systems as well as mitigates the effects of those exploits on ISP networks. The list has helped mitigate attacks and will continue to do so.

Who Qualifies for NSP-SEC Membership?

Step one is to ensure you meet the qualifications for NSP-SEC. Some common questions to ask yourself are:

  • Do you work for some type of IP transit provider, huge multi-homed content provider, or service provider?
  • Does your job include Operational Security?
  • Are you willing to offer free services, data, forensic, and other monitoring data to the NSP community?
  • Do you have authorization to actively mitigate incidents in your network? Do you actually log into a router and do something to mitigate an attack or call someone to task them to do the work?
  • Do you have the time for a real-time NSP mitigation forum?

If yes, then you might fit the expectations to be on the NSP-SEC Mitigation or Discussion Forums.

How to Join NSP-SEC?

Joining NSP-SEC is not simple; it requires layers of trust to be built with members of the community. Trust is built by working with members of the community. The challenge is finding out who is part of NSP-SEC so you can start building a trust relationship. The following are guidelines that are known to build the trust relationships needed to get on NSP-SEC. It is a path that will benefit the SP Security operator (or just a normal SP engineer).

  1. SP Security Contacts for all your Upstream SPs. Many of the large SPs in the world are already part of the NSP-SEC community, so ensuring you have the SP Security contact information for all your upstreams is a way to build trust relationships. Besides, you need to have this information in case there is a critical security incident.

  2. DSHIELD Membership. DSHIELD (see below) is a community that actively analyzes and mitigates issues on the Internet. It is another sphere of trust with members who intersect with the NSP-SEC world.

  3. NSP-SEC BOFs. Meeting people in person is perhaps the best way to get to know other NSP-SEC members. For that reason, NSP-SEC has BOF sessions at NANOG (www.nanog.org), RIPE (www.ripe.net), and APRICOT (www.apricot.net).

  4. Drone Armies. Drone Armies offers a different and broader community mix compared to NSP-SEC. There may be more people who know you on Drone-Armies than on NSP-SEC. Yet there are a lot of NSP-SEC members on Drone-Armies (and vice versa).

  5. National CERTs. Meet your national CERT. Know the members, actively participate, and promote their activities. Many national CERTs are on NSP-SEC.

DSHIELD

DShield provides a platform for users of firewalls to share intrusion information. DShield is a free and open service. If you use a firewall, please submit your logs to the DShield database. You may either download one of our ready-to-go client programs, write your own, or use our Web Interface to manually submit your firewall logs. Registration is encouraged, but is not required. Everybody is welcome to use the information in the DShield reports and database summaries to protect their network from intrusion attempts.

Distributed detection systems in which individuals and organizations can participate:

Dshield – www.dshield.org

MYNETWATCHMAN

The primary issue in Internet security is not that hackers troll the Internet, but rather that the Internet is chock full of insecure systems which are easily compromised, providing the means for hackers to perform untraceable, indirect attacks. The only profound way to improve Internet security is to reduce the number of compromised systems and minimize the amount of time that a system remains in a compromised state. myNetWatchman achieves its goals through:

  • Security Event Aggregator
  • Centralized, web-based firewall log analyzer
  • Fully automated abuse escalation/management system

www.mynetwatchman.com

DRONE-ARMIES

Drone-Armies’ mission is to bring NSPs, big enterprises, security solution vendors, operating system vendors, networking vendors, and researchers together in an aggressive mitigation forum. It is a parallel forum to NSP-SEC. While NSP-SEC’s membership focuses on the SP operational security community, Drone Armies relies on the synergy of diversity to mitigate threats, combining host protection interests, system protection interests, and network protection interests. The nature of the community tends to focus on BOTNET and Trojan/Worm/Virus disruption.

https://linuxbox.org/cgi-bin/mailman/listinfo/da

How to Join Drone Armies?

To apply, please sign up via:

https://linuxbox.org/cgi-bin/mailman/listinfo/mwp

MWP – Malware Providers

MWP is a mitigation community that specializes in detecting and reporting malware hosting. These include droppers, trojans, phish, and other miscreant systems. The community is inclusive of a broad segment of the white hat community. Phishing detection/disruption is one of the general consequences of MWP’s detecting and reporting.

How to Join MWP?

To apply, please sign up via:

https://linuxbox.org/cgi-bin/mailman/listinfo/mwp

STEP 2: Deploy the Basics

TEAM CYMRU Templates and Tools

Team CYMRU provides configuration templates, security templates, and other services to help make the Internet a safer place to network. These can be found at:

http://www.cymru.com/

The Original Backscattered Traceback and Customer Triggered Remote Triggered Black Hole Techniques

http://www.secsup.org/Tracking/

http://www.secsup.org/CustomerBlackHole/

What is a BOTNET?

One of the best write-ups is from a freeware tool gone commercial (presumably so they can scale).

http://swatit.org/bots/index.html

NANOG SP Security Seminars and Talks

The NANOG Coordination Committee actively works to produce sessions and seminars to help foster security on the Internet. All sessions are taped and converted to VOD for all to use for their personal education. Over time, this effort has generated a valuable on-line tutorial for engineers and organizations seeking to learn more about running a more secure network.

NANOG Security Tutorial Series

Tutorial: Implementing a Secure Network Infrastructure (Part I)

Tutorial: ISP Security – Real World Techniques I – Remote Triggered Black Hole Filtering and Backscatter Traceback.

Tutorial: ISP Security – Real World Techniques II – Secure the CPE Edge

Tutorial: ISP Security: Deploying and Using Sinkholes

Tutorial: Deploying IP Anycast

NANOG Security Sessions

A Day in the Security Life of a Service Provider—Qwest

http://www.nanog.org/mtg-0501/donsmith.html

Team Cymru Bogon Route Servers

http://www.nanog.org/mtg-0501/deitrich.html

Options for Blackhole and Discard Routing

http://www.nanog.org/mtg-0410/soricelli.html

ISP Security Toolkits

http://www.nanog.org/mtg-0410/battles.html

Botnets

http://www.nanog.org/mtg-0410/kristoff.html

What Will Stop Spam?

http://www.nanog.org/mtg-0410/stiles.html

DNSSEC Deployment: Big Steps Forward; Several Steps to Go

http://www.nanog.org/mtg-0410/crocker.html

Tracking Global Threats with the Internet Motion Sensor

http://www.nanog.org/mtg-0410/bailey.html

Implications of Securing Backbone Router Infrastructure

http://www.nanog.org/mtg-0405/mcdowell.html

Preparing RIR Allocation Data for Network Security Analysis Tasks

http://www.nanog.org/mtg-0405/trammell.html

Integrated Security for SNMP-Based Management

http://www.nanog.org/mtg-0405/hardaker.html

Watching Your Router Configurations and Detecting Those Exciting Little Changes

http://www.nanog.org/mtg-0310/rancid.html

Building a Web of Trust

http://www.nanog.org/mtg-0310/abley.html

The Relationship Between Network Security and Spam

http://www.nanog.org/mtg-0310/spam.html

Simple Router Security, What Every ISP Router Engineer Should Know and Practice

http://www.nanog.org/mtg-0310/routersec.html

Flawed Routers Flood University of Wisconsin Internet Time Server

http://www.nanog.org/mtg-0310/plonka.html

Trends in Denial of Service Attack Technology

http://www.nanog.org/mtg-0110/cert.html

Recent Internet Worms: Who Are the Victims, and How Good Are We at Getting the Word Out?

http://www.nanog.org/mtg-0110/moore.html

DoS Attacks in the Real World

http://www.nanog.org/mtg-0110/irc.html

Diversion & Sieving Techniques to Defeat DDoS

http://www.nanog.org/mtg-0110/afek.html

DNS Damage – Measurements at a Root Server

http://www.nanog.org/mtg-0202/evi.html

Protecting the BGP Routes to Top Level DNS Servers

http://www.nanog.org/mtg-0206/bush.html

BGP Security Update

http://www.nanog.org/mtg-0206/barry.html

Industry/Government Infrastructure Vulnerability Assessment: Background and Recommendations

http://www.nanog.org/mtg-0206/avi.html

A National Strategy to Secure Cyberspace

http://www.nanog.org/mtg-0210/sachs.html

How to 0wn the Internet in Your Spare Time

http://www.nanog.org/mtg-0210/vern.html

ISP Security BOF I

http://www.nanog.org/mtg-0210/securebof.html

The Spread of the Sapphire/Slammer Worm

http://www.nanog.org/mtg-0302/weaver.html

ISP Security BOF II

http://www.nanog.org/mtg-0302/securebof.html

The BGP TTL Security Hack

http://www.nanog.org/mtg-0302/hack.html

Security Considerations for Network Architecture

http://www.nanog.org/mtg-0302/avi.html

Lack of Priority Queuing on Route Processors Considered Harmful

http://www.nanog.org/mtg-0302/gill.html

Interception Technology: The Good, The Bad, and The Ugly!

http://www.nanog.org/mtg-0306/schiller.html

The NIAC Vulnerability Disclosure Framework and What It Might Mean to the ISP Community

http://www.nanog.org/mtg-0306/duncan.html

Inter-Provider Coordination for Real-Time Tracebacks

http://www.nanog.org/mtg-0306/moriarity.html

ISP Security BOF III

http://www.nanog.org/mtg-0306/securitybof.html

S-BGP/soBGP Panel: What Do We Really Need and How Do We Architect a Compromise to Get It?

http://www.nanog.org/mtg-0306/sbgp.html

BGP Vulnerability Testing: Separating Fact from FUD

http://www.nanog.org/mtg-0306/franz.html

BGP Attack Trees – Real World Examples

http://www.nanog.org/mtg-0306/hares.html

NRIC Best Practices for ISP Security

http://www.nanog.org/mtg-0306/callon.html

RIPE SP Security Presentations

RIPE-46 BoF: NSP-SEC (Hank Nussbacher)

http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nspbof-nsp-sec.pdf

IRT Object in the RIPE Database (Ulrich Kiermayr)

http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nspbof-irt.pdf

Operational Security Requirements (George M. Jones)

http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-techsec-ops-security.pdf

Infrastructure Security (Nicholas Fischbach)

http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-nspbof-fischbach.pdf

MPLS-Based Traffic Shunt PDF (Nicholas Fischbach)

http://www.ripe.net/ripe/meetings/ripe-46/presentations/ripe46-eof-fischbach.pdf

Address Space and AS Number Hijacking (Leslie Nobile, Leo Vegoda)

http://www.ripe.net/ripe/meetings/ripe-48/presentations/ripe48-eof-nobile-vegoda.pdf

Managing a DoS Attack (Vincent Gillet, Jean-michel Valey)

http://www.ripe.net/ripe/meetings/ripe-48/presentations/ripe48-eof-gillet.pdf

ETSI & Lawful Interception of IP Traffic (Jaya Baloo)

http://www.ripe.net/ripe/meetings/ripe-48/presentations/ripe48-eof-etsi.pdf

Securing a Core Network: Tutorial (Michael Behringer)

http://www.ripe.net/ripe/meetings/ripe-49/presentations/ripe49-eof-security-tutorial.pdf

Cisco SP Security Powersession Series

Service Providers Power Session in Dulles, Virginia, on October 20 and 21, 2004

http://www.ciscotmme.com/go/securitypowersession/presentations.lasso

Powersession on Core Security (4-6 May 2004)

http://www.ciscoeventreg.net/go/networkers/agenda9.lasso

CPN Summit SP Security Materials (April 2004)

ftp://ftp-eng.cisco.com/cons/isp/security/CPN-Summit-2004/

Sydney Australia SP Security Powersession

DAY 1: Thursday, December 1, 2005

9:00 – 10:30 – How SP/ISP/ASP and Big Network Security Differs from all Other Types of Traditional Network Security, Barry Greene, Security Architect, Cisco Systems, Inc.

11:00 – 12:00 – Identifying and Classifying Attacks and Security Incidents, Kunjal Trivedi, Product Manager, Cisco Systems, Inc.

13:00 – 14:00 – SP Control Plane Security – BGP

14:00 – 15:00 – DDoS Attack Methodology, Seo Boon Ng, Network Consulting Engineer, Cisco Systems, Inc.

15:30 – 17:00 – Protect the Infrastructure, Kunjal Trivedi, Product Manager, Cisco Systems, Inc. and Tony Kirkham, Network Consulting Engineer, Cisco

DAY 2: Friday, December 2, 2005

09:00 – 10:30 – How to Build a Security Operations Center, Barry Greene, Security Architect, Cisco Systems, Inc.

11:00 – 12:00 – Deploying Security Techniques – Using uRPF, rACLs, and other Tools as a Deployment Example, Tony Kirkham, Network Consulting Engineer, Cisco Systems, Inc.

13:00 – 14:00 – Principles of the Miscreants – Economic Theory, Cyberwar, and Ego in Today’s Attacks, Barry Greene, Security Architect, Cisco Systems, Inc.

14:00 – 15:00 – Core Hiding – ISIS and Forwarding as a Security Tool, Seo Boon Ng, Network Consulting Engineer, Cisco Systems, Inc.

Cisco SP Security Materials

BGP ‘Attack Tree’ – Realities of BGP Security: Cisco’s CIAG Team moves beyond the armchair hypothesizing of BGP security risk and runs tests against the industry’s multiple implementations of BGP

http://wwwin-people.cisco.com/sean/ciag-bgp-blackhatv2.pdf

Protecting Your Core: Infrastructure Protection Access Control Lists

Infrastructure Protection on Cisco IOS Software-based Platforms

(Giving Lots of Hardware Examples)

Risky Business
All security professionals should listen to this podcast every week!